RUGGEDCOM ROS User Guide
Chapter 1: Introduction
• Enable BPDU Guard on ports where RSTP BPDUs are not expected.
• Use the latest Web browser version compatible with RUGGEDCOM ROS to make sure the most secure Transport Layer Security (TLS) versions and ciphers available are employed. Additionally, 1/n-1 record splitting is enabled in the latest web browser versions of Mozilla Firefox, Google Chrome and Internet Explorer, and mitigates against attacks such as the SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability (BEAST) for Non-Controlled (NC) versions of RUGGEDCOM ROS.
• Modbus can be deactivated if not required by the user. If Modbus activation is required, then it is recommended to follow the security recommendations outlined in this User Guide and to configure the environment according to defense-in-depth best practices.
• Prevent access to external, untrusted Web pages while accessing the device via a Web browser. This can assist in preventing potential security threats, such as session hijacking.
• For optimal security, use SNMPv3 whenever possible. Use strong passwords without repetitive strings (e.g. abc or abcabc) with this feature. For more information about creating strong passwords, refer to the password requirements in Section 4.3, “Configuring Passwords”.
• Unless required for a particular network topology, the IP Forward setting should be set to { Disabled } to prevent the routing of packets.
NOTE
For configuration compatibility reasons, the configured setting will not change when upgrading from RUGGEDCOM ROS versions older than v4.2.0 to v4.2.0 and newer. This setting is always enabled and cannot be configured on versions before v4.2.0. For new units with firmware v4.2.0 this setting is configurable and disabled by default.
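The SNMPv3 recommendation above rejects passwords containing repetitive strings such as abc or abcabc. The following is an added example, not code from the RUGGEDCOM ROS guide, of how an administrator could screen candidate passwords for both kinds of repetition before provisioning them; the three-character run threshold is an assumption, and the full requirements of Section 4.3 are not reproduced here.

```python
"""Screen passwords for the repetitive strings the guide warns against.

Two patterns are flagged:
  * a sequential run of consecutive characters, e.g. "abc", "cba", "123"
  * a block repeated back-to-back, e.g. "abcabc", "xyxy", "aaa"
This is an illustrative check added alongside the guide, not a Siemens tool.
"""
import re
from typing import List, Optional

# A block of 2+ characters immediately repeated ("abcabc"), or one
# character appearing three or more times in a row ("aaa").
_REPEAT = re.compile(r"(.{2,}?)\1+|(.)\2{2,}")

# Assumption: a run of 3 consecutive code points counts as repetitive.
MIN_RUN = 3


def repeated_substring(pw: str) -> Optional[str]:
    """Return the first back-to-back repeated block in pw, or None."""
    m = _REPEAT.search(pw)
    return m.group(0) if m else None


def sequential_run(pw: str, min_run: int = MIN_RUN) -> Optional[str]:
    """Return the first ascending or descending run of min_run consecutive
    code points ("abc", "321"), or None if there is no such run."""
    for i in range(len(pw) - min_run + 1):
        seg = pw[i:i + min_run]
        steps = {ord(b) - ord(a) for a, b in zip(seg, seg[1:])}
        if steps == {1} or steps == {-1}:
            return seg
    return None


def repetitive_findings(pw: str) -> List[str]:
    """Collect findings for pw; an empty list means no repetitive strings."""
    findings = []
    run = sequential_run(pw)
    if run:
        findings.append(f"sequential run {run!r}")
    rep = repeated_substring(pw)
    if rep:
        findings.append(f"repeated block {rep!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample candidates, including the guide's own two examples.
    for candidate in ("abc", "abcabc", "passpass1", "Tr0ub4dor&3"):
        print(f"{candidate!r}: {repetitive_findings(candidate) or 'no repetitive strings'}")
```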
Policy
• Periodically audit the device to make sure it complies with these recommendations and/or any internal security policies.
• Review the user documentation for other Siemens products used in coordination with the device for further security recommendations.
Section 1.2.2 Credential Files
RUGGEDCOM ROS uses security keys to establish secure remote logins (SSH) and Web access (SSL).
It is strongly recommended that a unique SSL certificate and SSH keys be created and provisioned. New RUGGEDCOM ROS-based units from Siemens will be shipped with a unique certificate and keys preconfigured in the ssl.crt and ssh.keys flash files.
The default and auto-generated SSL certificates are self-signed. It is recommended to use an SSL certificate that is either signed by a trusted third-party Certificate Authority (CA) or by an organization's own CA. This technique is described in the Siemens application note: Creating/Uploading SSH Keys and SSL Certificates to ROS Using Windows, available from
The sequence of events related to Key Management during an upgrade to RUGGEDCOM ROS v4.3 or later is as follows:
NOTE
The auto-generation of SSH keys is not available for Non-Controlled (NC) versions of RUGGEDCOM ROS.
• On first boot, RUGGEDCOM ROS will start the SSH and SSL services using the default keys.